Sean McBride of Critical Intelligence presented Documenting the “Lost Decade:” An Analysis of Publicly-Disclosed ICS-Specific Vulnerabilities since 2001. It’s by far the most comprehensive analysis of ICS vulns with a lot of interesting stats.
It’s high quality video so expand to full screen to see the detailed slides.
Sean has some very interesting examples of hardware and software components with vulns that are never updated. We saw this with the LiveData ICCP server vuln that Matt Franz found while he was at Digital Bond. Sean covers this in his presentation.
The presentation includes a large number of data, charts and specific examples. There are break downs of vendors, researchers, where they came from, what they exploited and a lot more. For example:
- ICS specific disclosed vulnerabilities doubled in 2010 from 2009
- ICS specific disclosed vulnerabilities in 2011 were twice as much as all previously disclosed vulnerabilities
- Sean believes 2012 will actually see a decrease in disclosed vulnerabilities
- Iconics “led” with 29 disclosed vulns with Siemens a close second with 28
- The bad news is those vendors and many others have only patched half of the vulns
- ICS-CERT stated 60% of the ICS patches did not fix the problem
Critical Intelligence provides the ICS Security Calendar on digitalbond.com. I call them the Gartner Group for ICS security — but only in the good ways. Click here to learn more about Critical Intelligence.